Meraki

Community

VPN - User restrictions

HarryCarter
Conversationalist
‎Jul 20 2020 2:08 PM
‎Jul 20 2020 2:08 PM

VPN - User restrictions

Dear Community,

 

We have Active Directory enabled on our Meraki environment. 

 

Before this, we gave VPN access via creating accounts for who needed it. 

 

Now everyone with an AD account seems to have access to authenticate. 

 

I have 2 questions - 

 

How do we restrict which users can authenticate with this?

 

Can we use group policy to apply layer 3 firewall rules per "user"? (I can only see a way to do this per "client")

 

Thanks for your help in advance.

0 Kudos
2 Replies 2
Nash
Kind of a big deal
‎Jul 20 2020 6:43 PM
‎Jul 20 2020 6:43 PM

I strongly recommend using NPS or another RADIUS server instead of using the Active Directory sync for client VPN. NPS is especially easy if you've already got an AD environment. 

 

You tell RADIUS which group gets access to the VPN, then you're off to the races.

 

If your users already belong to groups (such as IT, Accounting, HR...), then add those groups to your VPN users group. It's easier to maintain in the long run versus adding individual users.

 

If you don't use RADIUS, you have to modify your AD groups so your ldap admin only has read permissions on groups containing your authorized users. This is annoying and I do not recommend it.

Windows 10 Client VPN scripts: Makes life better!
In response to Nash
Roger_Beurskens
Building a reputation
‎Jul 21 2020 2:08 AM
‎Jul 21 2020 2:08 AM

If possible you really want to go the Radius way.

 

When using NPS, you can pretty easy use MFA through Microsoft 365 with AD sync.

I also see this is as a big plus.

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.